Chapter 7. Windows Security and Patch Management

Entire books are devoted to Windows security—how to secure Windows clients, servers, headless machines, terminals, web servers, and more. In this chapter, however, I've chosen to highlight some of the useful tools for managing and automating security on Windows Server 2008. I've also included some references to security policy settings that most organizations will find helpful.

In the interest of full disclosure, I must say I have not included an exhaustive reference to every security setting to be found in Windows. So many options are unique to different environments that I've found the best strategy for this particular book is to give a broad overview of security policy management tools, along with some general settings that can increase security greatly, and then let you explore the Windows security features yourself.

Most small- and medium-size businesses have several issues to keep in mind when securing their configurations. Some of these might include the following:

Of course, not all of these conditions apply to all businesses, but it's very likely that each is an obstacle that most organizations run into. In this chapter, I'll provide cost-effective ways to address some of these obstacles.

Server security operates off the CIA principle, which is depicted in Figure 7-1.

CIA stands for confidentiality, integrity, and availability. Confidentiality is the concept that information access is protected and restricted to only those who should have access. Integrity is the concept that information is protected from being tampered with or otherwise modified without prior authorization. And availability refers to ensuring that the information can be accessed whenever it is needed, or at least as often as possible.

Keeping the CIA framework in mind, you can take a number of different security approaches at the server level. One of the most successful methods of preserving confidentiality, integrity, and availability is the layered approach, which both reduces an attacker's chance of success and increases the attacker's risk of detection. The layered approach comprises seven layers, each with its own methods and mechanisms for protection:

Data level

The data level guards against malicious activity performed on the actual data. Protection at the data level includes ACLs and encrypting filesystems. Safeguards at this level cover the confidentiality and integrity levels of the CIA triangle.

Application level

Application-level security protects individual programs from attack. Security at this level can include hardening the applications themselves, installing security patches from the vendors, and activating antivirus software and performing regular scans. Safeguards at this level cover the integrity and availability levels of the CIA triangle.

Host level

Protection at the host level secures the computer and its operating system from attack, which nearly eliminates the potential for attack on the data and application levels. Protection at this level includes hardening the operating system itself (which is the primary focus of this chapter), managing security patches, authentication, authorization, and accounting, and host-based intrusion detection systems. Safeguards at this level cover the integrity and availability levels of the CIA triangle.

Internal network level

The organization's network is the next level. It protects against intruders who get past the perimeter and sniff traffic in search of credentials or keys that would give them access to the higher levels. Protection at this level includes segmenting your network into subnets, using IP Security (IPSec), and installing network intrusion detection systems. Safeguards at this level include all facets of the CIA triangle: confidentiality, integrity, and availability.

Perimeter level

The perimeter is where the internal network connects to other external networks, including those to other branches of the same corporation and connections to the Internet. Perimeter-level protections might include firewalls and quarantining virtual private network (VPN) and dial-up access. Safeguards at this level include all facets of the CIA triangle: confidentiality, integrity, and availability.

Physical security level

The physical security level involves protecting the real estate in which the business practices. Guards, locks, and tracking devices all comprise protection at this level. Safeguards at this level cover the confidentiality and integrity levels of the CIA triangle.

Policies, procedures, and awareness level

This level involves educating users as to best practices and acceptable and unacceptable methods of dealing with information technology. Safeguards at this level can include all facets of the CIA triangle: confidentiality, integrity, and availability.